[CentOS] How to prevent root from managing/disabling SELinux

Mon Jan 26 20:29:23 UTC 2015
Daniel J Walsh <dwalsh at redhat.com>

On 01/23/2015 06:01 PM, Stephen Harris wrote:
> At work I'm used to tools like eTrust Access Control (aka SEOS).  eTrust
> takes away the ability to manage the eTrust config from root and puts it
> in the hands of "security admin".  So there's a good separation of duties;
> security admin control the security ruleset, but are limited by the OS
> permissions (so even if they granted themselves permission to modify
> /etc/shadow, the standard OS permissions would block them) and system admins
> control the OS (so they can be root, but can't override eTrust).
>
> Ideally this type of separation would be useful in the SELinux world
> as well.  OK, maybe this is a bit of an overkill for my own machines,
> but then I do have bastion hosts and internal segmented networking at
> home; I do overkill at times :-)
>
> The problem is that I can't see how to prevent this.  There are too many
> access points (not just the CLI tools but the pp files and the /sys tree
> and I don't know what else).
>
> I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
> has security_t so maybe a policy that denies everyone except a new
> security_admin_t permission to modify those files might work?
>
> Has anyone actually attempted this?
>
You would need to disable the unconfined.pp module and the
unconfineduser.pp module
and run all of your users as confined users, including the admin user as
sysadm_t.

You could also set the secure_ booleans

 getsebool -a | grep secure_*
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
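The following audit script is an added example; it is not from the list post and not part of the SELinux reference policy or its tools. It checks the three parts of the lock-down described in the reply (unconfined/unconfineduser modules disabled, secure_* booleans on, no login still mapped to unconfined_u) by parsing the output of getsebool -a, semodule -l and semanage login -l. The three parsers read from stdin so they can be exercised here against constructed sample output; run_live feeds them the real commands. One assumption is labelled in the code: that the module listing marks a disabled module with the word "Disabled" on its line.

```shell
#!/bin/sh
# Added example: audit the lock-down steps from the reply. Not the post's code.

# Names of secure_* booleans still "off" in `getsebool -a` output
# (lines look like: secure_mode_policyload --> off).
off_secure_booleans() {
    awk '$1 ~ /^secure_/ && $3 == "off" { print $1 }'
}

# Names of unconfined* modules whose line is NOT marked disabled in a
# `semodule -l` / `semodule -lfull` listing.
# Assumption: a disabled module carries the word "disabled" (any case) on its line.
enabled_unconfined_modules() {
    awk 'tolower($0) !~ /disabled/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^unconfined/) print $i
         }'
}

# Login names mapped to the unconfined_u SELinux user in `semanage login -l`
# output (column 1 = login name, column 2 = SELinux user; header row is skipped
# naturally because its second field is "User").
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# Print one line per finding and return the number of findings
# (0 means every piece of the lock-down is in place).
audit_report() {
    bools=$(printf '%s\n' "$1" | off_secure_booleans)
    mods=$(printf '%s\n' "$2" | enabled_unconfined_modules)
    logins=$(printf '%s\n' "$3" | unconfined_logins)
    problems=0
    for item in $bools;  do echo "boolean still off: $item";                 problems=$((problems + 1)); done
    for item in $mods;   do echo "unconfined module still enabled: $item";   problems=$((problems + 1)); done
    for item in $logins; do echo "login still mapped to unconfined_u: $item"; problems=$((problems + 1)); done
    return $problems
}

# On a real host: run the audit against live command output (not run here).
run_live() {
    audit_report "$(getsebool -a)" "$(semodule -l)" "$(semanage login -l)"
}

# Constructed sample output standing in for the three commands on a host that
# is only partly locked down: one boolean on, one module disabled, root still
# unconfined.
SAMPLE_BOOLS='secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> on'

SAMPLE_MODULES='100 unconfined            pp disabled
100 unconfineduser        pp
100 sysadm                pp'

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *'

# Demo against the constructed sample; only runs when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    audit_report "$SAMPLE_BOOLS" "$SAMPLE_MODULES" "$SAMPLE_LOGINS"
    echo "findings: $?"
fi
```

Run the audit before setting secure_mode_policyload persistently: once that boolean is on, further policy loads and boolean changes are refused until reboot, so it belongs last, after the module and login-mapping changes have been verified.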